Blackmailing Trojan encrypts hard drive

Kaspersky Lab asks for help cracking it

By Nick Farrell: Wednesday, 11 June 2008, 8:06 AM

KASPERSKY Lab has asked the world, plus dog, to help it crack the key to a Trojan that encrypts your hard drive and then demands cash for the key.

Gpcode has been used in isolated "ransomware" attacks for the last two years. The latest version encrypts all .bak, .doc, .jpg and .pdf files and deletes the originals. It then erases itself after leaving a message about where to buy a decryption tool.

Kaspersky said that the files the malware has encrypted cannot be decrypted without the key, because the malware uses a very strong, 1024-bit key.

The insecurity outfit estimates it would take around 15 million modern computers, running for about a year, to crack such a key.

The company has broken Gpcode's encryption keys in the past, but that was only because the malware's maker had made mistakes implementing the encryption algorithm.
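The symptoms described above (target documents gone, opaque blobs in their place, a note pointing to a decryption tool for sale) can be checked for from the defender's side. The following is an added example, not code from the article or from Kaspersky; the ".enc" suffix, the note wording and the sample files are constructed placeholders, not the real malware's.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

TARGET_EXTS = {".bak", ".doc", ".jpg", ".pdf"}   # extensions the article says Gpcode targets
NOTE_KEYWORDS = ("decrypt", "buy")                # the note tells victims where to buy a decryption tool

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted data approaches 8.0, plain text sits around 4 to 5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def is_ransom_note(path: Path) -> bool:
    """A small .txt file mentioning both decryption and a purchase is treated as a ransom note."""
    if path.suffix.lower() != ".txt" or path.stat().st_size > 4096:
        return False
    text = path.read_text(errors="ignore").lower()
    return all(k in text for k in NOTE_KEYWORDS)

def scan_directory(root: str, threshold: float = 7.5) -> dict:
    """Count surviving target-extension files, high-entropy blobs and ransom notes under root."""
    report = {"originals": 0, "high_entropy": [], "ransom_notes": []}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        if path.suffix.lower() in TARGET_EXTS:
            report["originals"] += 1
        elif is_ransom_note(path):
            report["ransom_notes"].append(path.name)
        else:
            data = path.read_bytes()
            if len(data) >= 256 and shannon_entropy(data) >= threshold:
                report["high_entropy"].append(path.name)
    return report

def looks_like_gpcode(report: dict) -> bool:
    """Flag the combination the article describes: originals gone, opaque blobs plus a note."""
    return bool(report["ransom_notes"]) and bool(report["high_entropy"]) and report["originals"] == 0

def build_sample_tree() -> str:
    """Constructed fixture: two opaque blobs, one note, one benign text file, no surviving documents."""
    root = tempfile.mkdtemp(prefix="gpcode_demo_")
    for name in ("report.doc.enc", "photo.jpg.enc"):        # placeholder names, not the real suffix
        Path(root, name).write_bytes(os.urandom(4096))      # random bytes stand in for ciphertext
    Path(root, "README.txt").write_text("Your files are encrypted. Buy the decryption tool at <placeholder>.")
    Path(root, "notes.txt").write_text("meeting at ten, bring the slides")
    return root

if __name__ == "__main__":
    print(scan_directory(build_sample_tree()))
```

The entropy threshold is a heuristic: compressed archives and media also score high, so the note and the missing originals are what make the verdict meaningful.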

Actually, depending on where the money is going, it can be hard to track. Well, I mean track it to the final source. You transfer the money through a few sources and then it ends up in an unfriendly country and amazingly disappears. I just hope most people will not be so naive as to assume that just sending money to buy this decryption tool will correct their problem.

Reminds me of a conference I was just at.... where they suggested using 'losing' of encryption keys for documents as a method for 'destroying' the documents as per a life-expiration thing. I chuckled at the idea, but this reminds me of it for some reason. Nonetheless, yeah, I have heard of this before.

It is not too hard to hide the trail of money these days... especially if you can move it through some particular foreign countries that make retrieving data VERY difficult. I am not going to get into detail because I don't want to give a tutorial on how to do this and get away clean but let's just say that foreign commodities are a great way to leave a dead end. Use your imagination from there...

My co-workers and I were actually called in on an investigation where this happened to an executive of a child company of ours. Lucky for us, this version of ransomware used rot13 and not a 1024-bit key, which would have sucked for us considering local IT had not implemented backups for their executives' laptops....

-Jordan

CEPT, CREA, C|EH, MCSE:Security (too many others that I don't care about to list)